This Data Protection Addendum (" Addendum") forms part of the License Agreement (" Principal Agreement") between:
{processingResponsibleInfo}
Hereafter referred to as “ Controller”
And
(ii) ProSoccerData NV, with registered office at Ninoofsesteenweg 132, 1700 Dilbeek, Belgium and listed in the national Companies Register under company number: 0837201456. Herein represented by ISMG BV , represented by Mr. Kevin Vermeulen in his capacity of CEO of ProSoccerData.
Hereafter referred to as “ Processor”
The Processor and the Controller may be referred to individually as a “ Party” and collectively as the “ Parties”.
Parties agree that all provisions relating to personal data in the Principle Agreement will be supplemented by the provisions in this Addendum. In case of inconsistency between the Principal Agreement and this Addendum with regard to personal data, this Addendum shall prevail.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
Parties decided the following:
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 " Applicable Laws" means all EU Data Protection Laws and all other data protection or privacy laws of any other country to which an entity is subject because it processes Personal Data;
1.1.2 " EEA" means the European Economic Area;
1.1.3 " EU Data Protection Laws" means the GDPR and domestic legislation of Member States implementing or supplementing the GDPR;
1.1.4 " GDPR" means EU General Data Protection Regulation 2016/679;
1.1.5 " Services" means the services and other performances to be supplied to the Controller by the Processor pursuant to the Principal Agreement;
1.1.6 " Subprocessor" any third party engaged by the Processor who agrees to process Personal Data on behalf of the Controller in accordance with its instructions, the terms of this Addendum and the terms of the written sub-processing agreement as drafted in accordance with this Addendum; and
1.2 The terms, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Object of this Addendum
2.1 Processor offers a digital solution to soccer federations and clubs with the aim of increasing the quality and effectiveness of player development and talent detection.
2.2 This Addendum stipulates the conditions under which the Processor may process the Personal Data on behalf of the Controller.
2.3 Processor and Controller shall at any time act in accordance with the Applicable Law and the provisions of this Addendum when executing the Principal Agreement.
3. Processing of Personal Data
3.1 Processor commits to only process Personal Data with the prior specific or general written authorisation of the Controller. The Principal Agreement and the Addendum determine the object and the duration of the Processing.
3.2 Processor processes the Personal Data on behalf of the Controller in the context of the service and objective described below:
3.3 The following types of Personal Data can be processed:
3.3 The Personal data relates to the following categories of Data Subjects:
4. Rights and obligations of Controller
4.1 Controller has the duty to provide the information as stipulated in articles 13 and 14 of the GDPR to the Data Subjects who are the subject of the Processing under this Addendum.
4.2 Controller provides the Personal Data to the Processor, as set forth in this Addendum. Controller determines the purposes and means of the processing of the Personal Data. Controller guarantees that the processing of the Personal Data complies with the Applicable Laws and with this Addendum.
4.3 The Processing by the Processor can only be based on written instructions from the Controller. Controller guarantees that the instructions for the Processing of Personal Data are done in accordance with the Applicable Laws. If the instructions change, Controller will notify Processor immediately.
4.4 Controller shall maintain a record of processing activities under his responsibility, in accordance with article 30(1) of the GDPR.
5. Rights and obligations of Processor
5.1 Processor will only process the Personal Data that is strictly necessary for the execution of the Principal Agreement and commits to only process the Personal Data for the objectives as stated in this Addendum. Processor will not process the Personal Data for any other purpose than as determined by Controller.
5.2 Processor commits to only process the Personal Data on the basis of the documented instructions of Controller and in accordance with the provisions of this Addendum. If Processor is expected to pass on Personal Data, under the law of the European Union or according to the law of a Member State that applies to it, to a third country or to an international organization, Processor must report this to the Controller prior to the processing, except when the relevant right prohibits such notification on the grounds of general interests.
5.3 Processor guarantees the confidentiality of the Personal Data that have been transmitted to it in the light of this Addendum. Processor furthermore ensures that all its employees have committed themselves to respect the confidentiality of the Personal Data or are bound by a legal obligation of confidentiality.
5.4 Processor may not store, transfer or otherwise process the Personal Data at a location outside of the EEA or pass it on to countries outside the EEA without the prior documented consent of Controller. In addition, Processor must ensure that the third country or international organization provides an adequate level of data protection.
5.5 Processor processes the Personal Data transmitted by the Controller for as long as this is necessary for the execution of the Principal Agreement. As soon as the processing is done, Processor will put an end to any other use of the Personal Data, within a reasonable period of time, unless explicitly agreed otherwise, than that which is necessary to enable the Controller to recover the data entrusted to the Processor.
5.6 The Processor will respect the rights of the Data Subjects as laid down in the GDPR. The Processor will assist the Controller, as far as possible, with his duty to comply with the requests of Data Subjects regarding the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object to automated individual decision-making (including profiling). In the event that a Data Subject submits such a request to the Processor, the Processor will forward the request to Controller and Controller will process the request, unless explicitly agreed otherwise. Parties may agree on a compensation for the execution of such requests.
5.7 Processor assists Controller for each data protection impact assessment and prior consultation of the Supervisory Authority. In addition, Processor assists Controller to answer requests of the Supervisory Authority. Parties may agree on a compensation for the execution of such requests.
5.8 When necessary for the execution of the services, Processor can make a copy and proceed to take a backup. The Personal Data on these copies and backups enjoy the same protection as the original Personal Data.
5.9 Processor keeps a written record of all processing activities carried out for the account of the Controller. This register contains all the data required by article 30(2) of the GDPR.
5.10 Processor guarantees that its employees have access to the Personal Data only to the extent that this is necessary to carry out their duties in the light of this Addendum. The employees of Processor are also bound by confidentiality. Processor will inform its employees about the obligations in the Applicable Law and this Addendum.
5.11 Processor will inform Controller of the name and contact details of its Data Protection Officer (DPO) if it is obliged to appoint on according to article 37 of the GDPR.
6. Security
6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk for the rights and freedoms of natural persons, Controller and Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
6.2 Parties shall take the appropriate and necessary technical and organizational security measures compliant with the Applicable Law to safeguard Personal Data against destruction - either by accident or unlawful, loss, forgery, disclosure, unauthorized distribution, transfer or access, especially when Processing data includes transmission through a network - or against any other improper use. Parties will implement and will continue to implement those measures to prevent unauthorised or unlawful Processing or accidental loss or destruction of the Personal Data that is Processed. The technical and organizational security measures that have been taken by the Processor are stipulated in “Annex 1: technical and organisational security measures”.
6.3 In assessing the appropriate level of security, Parties shall take account in particular of the risks that are presented by processing, in particular from a Personal Data Breach.
6.4 Processor must inform Controller of all the safety measures that have been taken to comply with the protection obligation. If changes to the technology have to be made because the state of the art has advanced, Processor will inform Controller of this and estimate the necessary costs. If Controller does not agree with the implementation of these security measures deemed necessary by Processor, the Processor cannot be held liable for a Data Breach that can be attributed to an inaction by the Controller. In that case, Controller cannot recover possible fines and/or costs from the Processor.
6.5 Controller and Processor will take all reasonable efforts to ensure that the processing systems used meet the requirements of confidentiality, integrity and availability, taking into account the state of the art and the reasonable costs of implementation. Both Parties also check whether their systems are sufficiently resilient.
7. Subprocessing
7.1 A fter prior, specific and documented permission from the Controller, Processor may subcontract the assignment wholly or partially to a Subprocessor. Controller can only refuse on the basis of justified reasons. Processor will remain the point of contact for Controller at all times.
7.2 Processor may only rely on the services of a Subprocessor that takes place outside of the EEA after prior, specific and documented approval from the Controller. In that case, Processor must choose a Subprocessor that provides adequate protection measures to protect the Personal Data. In the absence of such measures, appropriate guarantees must be provided in a contractual manner or the explicit consent of the Data Subject must be obtained.
7.3 Processor must ensure that the Subprocessor offers the same guarantees with regard to taking appropriate technical and organizational measures in accordance with article 32 of the GDPR.
7.4 All obligations under article 5 of this Addendum are fully applicable to the Subprocessor. These obligations are stipulated in writing in an agreement between the Processor and the Subprocessor. Processor remains fully responsible towards Controller for compliance by the Subprocessor with its obligations.
7.5 For a proper execution of the processing, Processor will rely on the following categories of Subprocessors:
8. Confidentiality
8.1 Processor is bound to a duty of confidentiality with respect to all Personal Data and information that they receive from the Controller in the light of this Addendum. This confidentiality obligation also applies to the employees of the Processor and to any Subprocessor and their employees.
8.2 This confidentiality obligation applies for the entire duration of the processing and also after the termination of the processing.
8.3 This obligation of confidentiality does not apply if the Processor is required by the Supervisory Authority, a legal provision or a court order to communicate the Personal Data, when the information is publicly available and when the data is provided on the instructions of the Controller.
9. Personal Data Breach
9.1 Processor shall notify Controller without undue delay, and at the latest within 48 hours after the breach has been notified. This notification shall at least provide or describe the following:
i.The nature of the breach in relation to the Personal Data, where possible with reference to the categories of Data Subjects and Personal Data concerned and, approximately, the number of Data Subjects and Personal Data concerned;
ii.The name and contact details of the DPO or other contact where more information can be obtained;
iii.The consequences that are likely to happen because of the Data Breach;
iv.The measures proposed or taken by the Processor to address the Data Breach, including, where appropriate, the measures to mitigate any adverse effects.
9.2 Per request of the Controller, Processor will report the Data Breach to the Supervisory Authority in the name and on behalf of the Processor as soon as reasonably possible and, if possible within 72 hours after the Data Breach was discovered, unless it is unlikely that the Data Breach contains risks for the rights and freedom of those involved.
10. Audit rights
10.1 Controller undertaking an audit shall give Processor or Subprocessor reasonable notice of any audit or inspection to be conducted and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:
10.1.1 to any individual unless he or she produces reasonable evidence of identity and authority;
10.1.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller or the relevant affiliate undertaking an audit has given notice to Processor or the Subprocessor that this is the case before attendance outside those hours begins.
10.2 Parties may agree on a compensation for the execution of such audits.
11. Duration and termination
11.1 This Addendum applies for as long as the Principal Agreement is in force and terminates at the same time as the Principal Agreement. This Addendum can not be terminated separately from the Principal Agreement, unless the Parties agree that termination is necessary to comply with the Applicable Law or decisions of the Supervisory Authority.
11.2 At the end of the processing services, Processor shall, at the option of the Controller, delete or return to it all Personal Data processed under the Principal Agreement and delete existing copies and backups thereof, unless the Applicable Laws requires the storage of the Personal Data. Any costs related to the return and the destruction of the Personal Data are at the expense of the Controller.
12. General Terms
12.1 Nothing in this Addendum can be transferred by one of the Parties to others without the prior written consent of the other Party. However, this does not apply to the transfer to associate or acquired companies or legal successors of one of the Parties, for which no permission is required.
12.2 This Addendum contains the full will of the parties with regard to its subject matter and replaces all previous or existing agreements between the parties regarding its subject matter.
12.3 The nullity or invalidity of a provision or part of a provision of this Addendum shall not affect the operation and validity of the other provisions. In that case, the Parties will endeavour to replace or amend the relevant provision insofar as necessary to make this provision valid and enforceable. In that case, the Parties will negotiate in good faith and will strive for an adjustment that leaves the original scope of the provision unaffected as much as possible. If this proves impossible, only that provision will be regarded as non-existent.
12.4 Titles or subtitles in this Addendum are considered merely illustrative.
12.5 This Addendum is governed by Belgian law. In the event of any dispute regarding the execution of this Addendum, the Parties are expected to do everything in their power to find an amicable solution. The Parties will provide a reasonable interpretation of this Addendum. In the absence of an amicable solution, the dispute can be submitted to a centre for arbitration and mediation (such as CEPANI) or a competent court. The exclusive competent court is the court of the judicial district of Brussels, being the district in which the registered office of the Processor is situated.
***
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out below.